[Koha-bugs] [Bug 30444] Enable Shibboleth option for SelfCheck modules for Koha

bugzilla-daemon at bugs.koha-community.org
Mon Aug 8 06:38:54 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30444

--- Comment #21 from David Cook <dcook at prosentient.com.au> ---
(In reply to David Cook from comment #20)
> I'm waiting on some client requirements for SAML SSO in SCO, and when I get
> those I should be able to provide more useful feedback/assistance as well.

I've heard back and their requirement is to use SAML SSO for SCO when the SCO
is a dedicated physical terminal in the library.

I'm going to see if they can do LDAP instead as it'll be more straightforward,
but here's my thought for a physical terminal SCO:

1. Go to SCO landing page
2. Click button to trigger SSO login
3. Redirect to SSO IdP
4. Login to SSO IdP
5. Redirect back to Koha SCO
6. Create Koha SCO session using the JWT
7. Redirect back to SSO IdP for logout
8. Redirect back to Koha SCO to proceed with JWT

It's a multi-hop process, but it could be smooth unless the SSO IdP has a
prompt for the logout.

I have less experience with SAML than OpenID Connect. With OIDC, you redirect
to a logout URL with a post_logout_redirect_uri, and it returns you to Koha
without the user really being any the wiser.

The alternative would be redirecting to the SSO IdP for logout when clicking
"Finish" or during a SCO timeout but... that seems more error-prone to me.
Someone might step away and not fully log out, and then someone else has access
to their authenticated session from a dedicated physical terminal...

--

Less of an issue of course if they're doing the self-checkout from their own
device online.

That's why I'm thinking we might need some way of differentiating the two
scenarios...
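The redirect chain from steps 1-8 above, as an added simulation that is not code from Koha or from this bug: it uses OIDC-style query parameters (post_logout_redirect_uri, as mentioned in the comment), constructed example.org endpoints, and a simple `jwt_sub` parameter standing in for the token hand-off. It shows the point of step 7: on a dedicated terminal the IdP session is gone once Koha has its own SCO session, while on a patron's own device the IdP session is left alone.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed endpoints for the simulation; not Koha's real configuration.
IDP_AUTH = "https://idp.example.org/authorize"
IDP_LOGOUT = "https://idp.example.org/logout"
SCO = "https://koha.example.org/cgi-bin/koha/sco/sco-main.pl"

pending = {}          # state -> terminal mode, set in step 2, consumed in step 5
sessions = {}         # Koha SCO session id -> patron
idp_sessions = set()  # users with a live IdP session (the browser-side cookie)

def sco_start_login(terminal_mode):
    """Step 2: SCO builds the redirect to the IdP with a fresh state value."""
    state = secrets.token_urlsafe(16)
    pending[state] = terminal_mode
    return f"{IDP_AUTH}?{urlencode({'redirect_uri': SCO, 'state': state})}"

def idp_authenticate(url, user):
    """Steps 3-4: IdP logs the user in and sends them back with the token (simplified)."""
    q = parse_qs(urlparse(url).query)
    idp_sessions.add(user)
    return f"{q['redirect_uri'][0]}?{urlencode({'state': q['state'][0], 'jwt_sub': user})}"

def sco_callback(url):
    """Steps 5-6: SCO checks the state, creates its session from the JWT; on a
    dedicated terminal it immediately bounces to the IdP logout (step 7)."""
    q = parse_qs(urlparse(url).query)
    terminal_mode = pending.pop(q["state"][0])  # KeyError => unknown or replayed state
    sid = secrets.token_urlsafe(16)
    sessions[sid] = q["jwt_sub"][0]
    if terminal_mode == "dedicated":
        nxt = f"{IDP_LOGOUT}?{urlencode({'post_logout_redirect_uri': SCO})}"
    else:
        nxt = SCO
    return sid, nxt

def idp_logout(url, user):
    """Step 7: IdP drops its session and returns to post_logout_redirect_uri (step 8)."""
    q = parse_qs(urlparse(url).query)
    idp_sessions.discard(user)
    return q["post_logout_redirect_uri"][0]

def run_flow(terminal_mode, user="patron1"):
    """Drive the whole chain; returns (SCO session active, IdP session remains)."""
    sid, nxt = sco_callback(idp_authenticate(sco_start_login(terminal_mode), user))
    if nxt.startswith(IDP_LOGOUT):
        nxt = idp_logout(nxt, user)
    return sid in sessions, user in idp_sessions
```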
